cycbot | 21b8a8dd505a8dd08f6fd19a85fa423a45510ba2cce72829c0424f0bea14c1b6

General

Target

JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe
Size

187KB
MD5

2c5f7086829d2325aa9ccd2fec679cd9
SHA1

7b6168437cb5a73c1b26254aa065da6bf6f7d539
SHA256

21b8a8dd505a8dd08f6fd19a85fa423a45510ba2cce72829c0424f0bea14c1b6
SHA512

7d2636ed9c6673e0d13bffde5ad0a41f649c88ac7c97c0c670e8f5d87dbf29ee312d2af91860252a7a33a9821e9b9b6f85a59ad8d7104c1c9b4ef618a91fba4f
SSDEEP

3072:EiTwWW0AYX9dbOKLCNh072GeTm9sZuKp2nPSqgPXWL+T5hC:EiT97diKeCa52Cth

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3000-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1660-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1660-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1388-148-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1660-323-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1660-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3000-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1660-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1660-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1388-148-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1660-323-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 3000	1660	JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe	82
PID 1660 wrote to memory of 3000	1660	JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe	82
PID 1660 wrote to memory of 3000	1660	JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe	82
PID 1660 wrote to memory of 1388	1660	JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe	85
PID 1660 wrote to memory of 1388	1660	JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe	85
PID 1660 wrote to memory of 1388	1660	JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe startC:\Program Files (x86)\LP\059F\000.exe%C:\Program Files (x86)\LP\059F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c5f7086829d2325aa9ccd2fec679cd9.exe startC:\Users\Admin\AppData\Roaming\F2F77\77105.exe%C:\Users\Admin\AppData\Roaming\F2F77
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F2F77\7B4E.2F7

Filesize
996B

MD5
e8c74656dd470c27a176e7073a456087

SHA1
d9d8315b72bb20fa02787a09de7f142998502a5a

SHA256
43ed4939476a434e8504737d047f0aec37b968eb062167a5e4dfed3ce77f0277

SHA512
216607afcd9af301ab5af4ab728011537baa2ccee2a2fc243d8068dd668a6d9940c9ff7f49986b6f785c37e36503d8a25d78fd8d13e653a8e3cb1a896bbc6da2

Download Submit
C:\Users\Admin\AppData\Roaming\F2F77\7B4E.2F7

Filesize
600B

MD5
fa1bf35d7b4c9e507be57757b80e0f86

SHA1
64d7ae25cc1fcefccefac4be6ca9f465f37b7082

SHA256
3de77addc708c8eb45b524d9162168b71fda60acbbfa5f2fbf304fc645f7b0f7

SHA512
9b1ee47a99d726f6eb294a6b085dedeaa639b73958f73f4fc2797b766050f7296c72421dc00a31218049847966e7387167b6e5ab01dfbb1f502f7ec719a944a2

Download Submit
C:\Users\Admin\AppData\Roaming\F2F77\7B4E.2F7

Filesize
1KB

MD5
14e344f0133010bd6e0ed44f8bbd7c5f

SHA1
c01ad913f8bbdf7f83b0d7614cada431654e4db7

SHA256
d27018092dafc287180399ef6fce2143927be8ac9e676a6ad36d6fe5856d6b31

SHA512
c521ed4404b77d816d60edfda572f990768cf6d0fdff97652143c05aaa105107af321bf525a4160aef263cf49d8fec83707734940364f83becadc1d97ddf5816

Download Submit
C:\Users\Admin\AppData\Roaming\F2F77\7B4E.2F7

Filesize
300B

MD5
f2d9f91998cdbd372410e91ae03c2c9c

SHA1
34f466a2694068ff77babf00e08733a21a269449

SHA256
8cda8c572640d42e002b22f571605adb6dd5e6a1555f51f81a7f6c4755fee9df

SHA512
2df3a60a180e1b52969209d58f6cc18f8c1e3767eb2aa65229ea7c730a8e699d83e96494b73109f8dcd84034f5a02a0bd76c3861ce49c750bc518ad0eb025e5a

Download Submit
memory/1388-148-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1660-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1660-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1660-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1660-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1660-323-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3000-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3000-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing